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generating rules for said hosts based on said assigned roles, said rules determining 
whether a packet is passed to a destination host. 

2. The method of claim 1, wherein a configuration file is generated for a plurality of 
5 firewalls in said network. 

3. The method of claim 1, wherein a security policy for said network is expressed in terms 
of said roles defining network capabilities of sending and receiving services. 

10 4. The method of claim 1, wherein a plurality of said roles are combined into role-groups 

that may be assigned to one or more hosts. 

5. The method of claim 1, wherein a plurality of said hosts are combined into a host-group 

that may be assigned a role or a role-group. 
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6. The method of claim 1, further comprising the step of providing a visual representation 

of the structure of said hosts in said network. 



7. The method of claim 1, further comprising the step of providing a visual representation 
20 of a set of rules in said configuration file. 

8. The method of claim 1, wherein said generating step is performed by a vendor-specific 
compiler that produces a vendor-specific firewall configuration file. 

25 29. (Amended) A method of generating a security policy for a network, said network 

including a plurality of hosts, said method comprising the steps of: 

receiving a definition for a plurality of roles that specify the ability of a host to send and 
receive packets, wherein each of said roles may be assigned to said hosts independently of a topology 
of said network; 

30 receiving an assignment of said roles to said hosts in said network; and 
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generating said security policy from said received definitions and assignments. 

30. The method of claim 29, further comprising the step of translating said security policy 

into at least one configuration file for a firewall on said network. 

5 

• 31. The method of claim 30, wherein said configuration files are generated for a plurality 

of firewalls in said network. 



32. The method of claim 29, wherein a plurality of said roles are combined into a role-group 
10 that may be assigned to a host. 

33. The method of claim 29, wherein a plurality of said hosts are combined into a host-group 
\ that may be assigned a role or role-groups. 

15 34. The method of claim 29, further comprising the step of providing a visual representation 

of the structure of said hosts in said network. 



35. (Amended) A compiler for generating a configuration file for a firewall in a network, 

said network including a plurality of hosts, comprising: 
20 a memory for storing computer-readable code; and 

a processor operatively coupled to said memory, said processor configured to execute 
said computer-readable code, said computer-readable code configuring said processor to: 

receive a definition for a plurality of roles that specify the ability of a host to send and 
receive packets, wherein each of said roles may be assigned to said hosts independently of a topology 
25 of said network; 

receive an assignment of said roles to said hosts in said network; and 

generate rules for said hosts based on said assigned roles, said rules determining whether 
a packet is passed to a destination host. 
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